Pages

Tuesday, 5 July 2016

2 Factor Authentication & Why You Need It

Most of us know someone who's had one of their accounts hacked. Sometimes it's email, sometimes its Facebook or other social media, but one thing is clear: the bad guys want your access and they know how to monetize it.

"Who would want to read my email?" I can hear some of you saying. The answer is they don't, they want to mine it for financial or personal information they can sell, or use it to solicit money from your friends and family.

The scam works like this: The bad guys hack your password and send an email to all your contacts claiming to be you and begging them to wire funds because you are stranded.

Sounds silly right? If it didn't work they wouldn't do it. Even if only 1% of the people take the bait it can be significant, and the level of effort to get the money is extremely low.

A username and password aren't enough these days, you need something more. So how can you protect yourself? The answer is 2-factor authentication.

2-factor authentication (2FA) requires you to provide something you know (your username and password) and something you have (a token code) in order to log in. Using this method means that even if the bad guys guess your username and password they still can't log in, because they lack your token.

Many companies these days use some form of 2-factor authentication to protect themselves and their employees, why should you deserve any less?

Where can I use it?
A growing number of consumer services offer free 2FA, including Google, Facebook, Twitter, and Microsoft.

Google provides a free authenticator app you can load on your smartphone (Android or iPhone), just download it and link it to your Google account.

Once you have the app set up and your account configured any time a login request is made from a device it will prompt you to provide the token code in addition to your username and password.

Alternately if you don't have a smartphone or use an older BlackBerry, you can have Google text you a code instead of using their app.

"Oh come on, I don't want to have to do that every time I check Facebook."

I agree, which is why all these services will let you set your personal devices to not require the token. Now when you go to gmail it just lets you in as usual, but any attempt to access your account from a new device (or a bad guy half way around the world) will be stopped by the token requirement. Basically you've added an extra security layer for unauthorized access prevention without really inconveniencing yourself.

What I like about the Google Authenticator app is it can be used for more than just your gmail account, Facebook and other services have the ability to use it as well. I can use one app to protect multiple accounts.

Microsoft takes a similar approach. As with Google, you can flag your personal devices to not require the 2nd level of authentication while still requiring it for all other devices.

Once you're finished, you'll be taken to the 2-Step Verification settings page. Review your settings and add backup phone numbers. The next time you sign in, you'll receive a text message with a verification code. You also have the option of using a Security Key for 2-Step Verification.

Click Send code to add your phone number. (Note: If you already have a phone number associated with your Twitter account, we will send you an SMS to confirm your number.)

Enter the verification code sent to your device, then click Submit.

To proceed, click Continue.

Click Get Backup Code to generate a code. We recommend you store a screenshot of the code in case you need it for future use. This will help you access your account if you lose your mobile phone or change your phone number.

Now, when you log in to your account on twitter.com, Twitter for iOS, Twitter for Android, or mobile.twitter.com, a six-digit login code will be sent via text message to your phone. Enter the code when prompted to access your account."

Other services use slightly different models, some only support texting you a code, some offer an app that pops up a message letting you know there is a log in attempt and asking you to confirm it's ok.

I don't recommend the USB or biometric (fingerprint) approach, it may be overkill for your personal use, but I strongly suggest that everyone use 2FA to protect themselves. It's minimal effort to set up and can really help.

The bad guys are counting on people being too uninformed or lazy to bother. Readers of this blog don't have to fall in to either category.